Thanks, after some testing it turns out my $30 access point is a pos..

Thanks for quick reply!

Thank you, I presumed as much but wanted to make sure.

Well.. that's good to know! There have been a few come by with Fritzbox issues that I wonder if this wasn't their issue..

Glad ya got it working.

Found a manual (meaning outside of standard config / package) and hacky workaround, would love to hear of any improvement over that :)

Create a user in pfsense's User Manager, enable SSH access for that user with a password-less SSH key login (I'm aware it's risky, extra precautions below).

Create a script in the home user dir, show_wan_ip.sh, containing:

#!/bin/sh ifconfig mvneta0.4090 | sed -n '/.inet /{s///;s/ .*//;p;}'

Edit ~user/.ssh/authorized_keys and add the following before the key:

command="/home/user/show_wan_ip.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

This can be executed from the (less trusted) PC that connects to it over LAN:

ssh user@10.100.1.1 "/home/user/show_wan_ip.sh" 192.168.1.10

I do have it set up with a second Phase 2. I just thought there could be a better way to achieve the same result without having to go through each of the sites and adding a P2.

Thanks viragomann,

How good it is to have an external view.
It was the captive portal blocking outbound
Thank you very much

@NKOADMIN said in dose pfsense have soft NAT:

@NKOADMIN

After read the Netgate Docs

I think I need to configure the Routing Public IP Addresses instead of NAT.

I will give it a try, will post result here.

Yes, Routing Public IP Addresses resolve my issue.

now we got the correct result in Mxtoolbox

Thanks everyone

@Gertjan said in PORT FORWARD NOT WORKING IN AZURE CLOUD SINGLE NIC PFSENSE FIREWEALL:

port 22,80 and 443

port 22,80 and 443 not working, bcz I'm Only forwarded port 3389 for testing.

You are 100% correct sir! That was the problem indeed, thanks for pointing that out!

DNS rebinding and protection for it is something else: https://en.wikipedia.org/wiki/DNS_rebinding

It sounds to me like you'll need to get your PC resolving the hostname to the LAN IP of the web server. (or the WAN of the pfSense, but you might as well just use the internal IP at that point)

@viragomann I think that's what NAT is on pf, DNAT is rdr (change destination ip and keep source).
If I create an outbound rule, the resulting pf rule in /tmp/rules.debug is:

nat on $LAN inet proto tcp from LAN_NET/16 to LAN_IP/32 port 22 -> WAN_IP/32 port 1024:65535

Which doesn't work. Interestingly, if I change the mask of the translation address to WAN_IP/24, it works, but the last octet of the public ip will be wrong (it will round robin over that /24 net).
It also works if I set the translation IP to any other IP in the WAN_NET except the actual WAN_IP.

Delete 1,,2,3,4,5,6,7,8. There are useless.
Normally, on a WAN interface you have no rules at all. Exception : NAT rules ....

Rule 9 is part of a NAT rule ? There should be a "from port" as there is a "To port", the 59045.
Do not edit the firewall rule, edit the NAT rule.

What are you trying to achiueve with these WAN firewall rules ?
The NAT rule is for what ?